In 2017 the US National Institute of Standards and Technology (NIST) published a wonderful document entitled “Digital Identity Guidelines: Authentication and Lifecycle Management”, containing detailed guidelines and recommendations for password use. It also expressed useful opinions about the (bad!) password policies that many systems and organisations work with, and that may be why Microsoft adjusted some of their default password policies. NIST Special Publication SP 800-63B is freely available and periodically updated.
How passwords get cracked
Let’s first look into how a password might get compromised - via the backend.
Typically a site or mobile service will have a database containing at least your real name or “handle”, an email address, and your password. The password should not be stored in clear text (sometimes this still happens, though), but as the output of a one-way cryptographic hash. To verify your access, the password you type in is hashed the same way and then compared with the stored version.
Because it is a one-way cryptographic hash, it cannot be reversed to recover the clear-text password, which is good, but unfortunately that doesn’t mean it’s all safe. If a site gets compromised, the malicious actors may get their hands on the database containing the above-mentioned information on its users.
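As an added illustration of the hash-then-compare flow just described (my own example, not code from the original post), here is the form a backend should use instead of a bare one-way hash: a random per-user salt and a deliberately slow key derivation (PBKDF2-HMAC-SHA256 from Python's standard library, with an assumed iteration count), compared in constant time, next to the weak unsalted pattern for contrast.

```python
import hashlib
import hmac
import os

# Assumed parameter for this example: current guidance for PBKDF2-HMAC-SHA256 is
# in the hundreds of thousands; one login stays cheap, a dictionary run does not.
ITERATIONS = 600_000


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Return the stored form of a password: per-user salt plus a slow, salted hash.

    A fresh 16-byte random salt per user means two users with the same password
    get different hashes, so a cracker cannot hash a dictionary word once and
    compare it against every row in the table.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive the hash from the typed password and compare it in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(digest.hex(), record["hash"])


def naive_record(password: str) -> str:
    """The weak pattern the text warns about: one unsalted, fast hash.

    Every user with this password gets the identical hash, so one precomputed
    dictionary of hashes matches the whole table at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rec = make_record("Princess")  # constructed sample password from the text
    print(verify(rec, "Princess"))  # True
    print(verify(rec, "princess"))  # False
    # Same password for two users: salted records differ, naive ones collide.
    print(make_record("Princess")["hash"] != rec["hash"])  # True
    print(naive_record("Princess") == naive_record("Princess"))  # True
```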
Decrypting passwords
So how does a malicious actor get from the hashes to clear-text passwords, matched up with your username and/or email? Well, generally speaking, people pick very, very bad passwords. “Princess” is one of the most popular, and “Password1!” is another. Princess is a dictionary word: it is taken directly from the (in this case English) dictionary, without modifications.
Computers have dictionaries too, so if they run each word through the same one-way cryptographic hash and compare the result with your hashed password, they might get a hit! This is a tedious job, but that’s exactly what computers are good at: it does not require anyone to keep an eye on the task.
The cracking tools will work through the entire dictionary (more commonly used words first) and the stolen password list, and output the details of the ones they have cracked. This kind of brute-force approach may only “find” the passwords for a few thousand out of millions of entries in the user table, but that’s still quite a lot!
The bad actor is not really limited by time, as they can run the task on their own systems. Naturally, in due course the information will become dated, but it’s not a case of needing to get it done the same day.
More dictionaries
In addition to those basic dictionaries, there are public files from previous “events”. One such event is the RockYou breach from 2009, which yielded a list of 32 million completely unencrypted passwords. Because people are really much less original than they think they are, again some passwords are used much more often than others.
Variations
Replacing a capital O with a zero (0), a lowercase l with a one (1), or a capital E with a three (3) is kinda funny, but the computer does not care. Cracking programs try these variations along the way, and particularly when running on GPUs (graphics cards) they are very fast at it. At the same time, these modifications make the password more difficult for the user to remember.
Random
Now let’s get back to strategies and policies for picking passwords that are less susceptible to this landscape.
What do we mean by random? The password should not have any connection with you, and thus should not be predictable. That is traditionally hard, because things you care about are easier to remember. And even some other things are really quick and easy for a bad actor and their tools to churn through.
Ideally, systems should allow passwords of a decent length (at least 12-14 characters; many more would be nice), chosen from a broad range of characters (lowercase, uppercase, space, numeric, special). Any restrictions on length and/or character set are very convenient for potential attackers. (If I ask you to think of a number between 1 and 3, which I then have to guess, it’s not a very difficult game, is it?)
Within the restrictions given to you by the site or service (and you will find that some services are truly terrible at this: banks limiting you to between 6 and 8 characters, etc.), you now need to come up with the best possible password, one that’ll give crackers a run for their money. With that ruleset in mind, it’s generally best to let the computer pick a password for you. Because that makes them hard to remember, you probably also want to start using a password manager. I’ll cover that in a separate post.
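An added example (my own code, not from the post, NIST or any product) of the screening SP 800-63B favours over composition rules, tying together the dictionary, RockYou and Variations sections above: allow long passwords and any character, but reject anything that a cracker's rule set would reach quickly from a breached list, including the 0/1/3-for-O/l/E swaps and appended digits. The blocklist here is a constructed stand-in for a real breach list, and the minimum length of 12 is an assumed policy value.

```python
import unicodedata

# Constructed stand-in for a breach list such as RockYou; a real one has millions of entries.
BREACHED = {"princess", "password1!", "password", "123456", "letmein", "hello"}

# The swaps from the "Variations" section, reversed: 0 -> o, 1 -> l, 3 -> e.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e"})

# Characters a cracking rule typically appends to a dictionary word; stripped before lookup.
TRAILING = "0123456789!@#$%^&*.?"

MIN_LENGTH = 12  # assumed policy value for this example; NIST's floor for user-chosen secrets is 8


def candidates(pw: str) -> set:
    """Forms of the password a cracker's dictionary run would reach quickly.

    Case is folded, digit-for-letter swaps are undone, and appended digits or
    symbols are removed, because rule-based crackers try exactly those
    modifications on every dictionary word.
    """
    base = unicodedata.normalize("NFKC", pw).strip().lower()
    stripped = base.rstrip(TRAILING)
    return {base, base.translate(UNLEET), stripped, stripped.translate(UNLEET)}


def check_password(pw: str, blocklist: set = BREACHED, min_length: int = MIN_LENGTH) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately no "must contain a digit and a symbol" rule: composition rules
    push people towards Password1!, which is in every wordlist anyway. Any
    printable character, including spaces, is allowed.
    """
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    hits = candidates(pw) & blocklist
    if hits:
        reasons.append(f"derived from a breached password: {sorted(hits)[0]}")
    return reasons


if __name__ == "__main__":
    # Constructed samples: three variations of wordlist entries and one long passphrase.
    for sample in ["Princess", "Passw0rd123", "L3tm3in!!", "orange bicycle thunder lamp 7"]:
        print(repr(sample), check_password(sample) or "accepted")
```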
Browser managed passwords
For now, if you’re not doing any of this, you could start using your modern browser’s capabilities to help manage your passwords. This will enable you to have a different password for each service you use, so if one were to get compromised, that doesn’t affect anywhere else!
I already see colleagues frowning at me as I write this, and they are right: this approach is not perfect. But it’s a grand step up from nothing! Let’s see what the problems are, and try to mitigate them as best we can.
Browser bugs
Yep, a browser bug could compromise your password store. But the mainstream browsers (Firefox, Chrome, Safari, Edge) are pretty well on the case. Just keep up to date.
One password to rule them all
This is a good aspect as well as a bad one. You don’t want to lose that one password, or see it get into the wrong hands.
If you use Chrome, your password store will essentially reside behind your GMail login. How about you set up multi-factor authentication for that account, right now?
The same goes for other password stores that live online, “in the cloud”. If the password store is kept just on your computer, make sure you read the documentation and make a regular backup copy. And if this is your home setup, do feel free to write down that one password and put it in a drawer. The chances of your house getting broken into, and that piece of paper being stolen along with a copy of your passwords, are much lower than bad things happening online. (Do keep it away from children; they are way smarter with tech and online than they get credit for.)
In an organisational setting, the bar is definitely higher: just don’t write down that one magic password. Here is where XKCD’s inimitable Randall can help you, with this cartoon: